Written specifically for www.agers.es; also available in Spanish.
After more than 5 years in the making and thousands of comments received from representatives of 54 participating and observing countries as well as multiple liaison organizations, the updated ISO 31000 standard is going through the final stages of feedback and will likely be published in early 2018.
In this short article I will attempt to summarize the key changes to the world's most popular risk management standard, ISO31000, and how the changes will impact businesses.
Key changes proposed in the 2018 version
No significant changes.
That’s right. 5 years in the making, thousands of comments received and processed, and in the end all changes are either cosmetic or reinforce messages that have been there since the 2009 version. This could mean either that the 2009 version was already great and just needed more emphasis, or that the members of the ISO TC262 did not have an appetite for change or innovation. It’s actually both, and full credit should go to the authors of the ISO31000 2009 version, because the document in its original form already listed all the right principles and concepts.
So, what has changed?
Here are some of the most important changes:
- The document is shorter. It is now only 15 pages (excluding covers and bibliography)
- The number of principles has been reduced from 11 to 8 without losing any of the important messages
- The standard reinforces the purpose of risk management. According to the authors, the purpose of the risk management framework is to assist the organization in integrating risk management into all its activities and functions. The effectiveness of risk management will depend on its integration into the governance and all activities of the organization, including decision-making.
- The responsibility of top management and oversight bodies is added. They should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment.
- The concept of integration is reinforced throughout the document. Here are just a few examples:
  - Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.
  - Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured.
  - The organization should continually improve the suitability, adequacy and effectiveness of the risk management framework and the way the risk management process is integrated.
  - The risk management process should be an integral part of management and decision-making and should be integrated into the structure, operations and processes of the organization.
- The new standard explicitly states that there can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied.
- The standard also addresses the dynamic and variable nature of human behavior and culture which should be considered throughout the risk management process.
These messages are very powerful. They are not new, but they reinforce the type of risk management that is integrated into business activities and key decision-making processes. The type of risk management that is not done on a pre-determined periodic basis (quarterly, monthly, etc.), but instead done at the time of making an important business decision or as part of the business process or activity.
What does it mean for businesses?
Since all the changes are either reinforcing existing ideas or cosmetic, does that mean risk managers don’t have to do anything? I wish I could say that was true for all.
This is true for some risk managers who have been applying the ISO31000 principles since its publication in 2009. In 14 years in risk management, I have probably met fewer than 10 people like that globally. Nevertheless, here are some examples of successful practices:
- Integrating risk management into strategic planning – the effect of uncertainty on the strategic objectives is assessed at the time the strategy is formulated and not after it was approved by the Board. Risk analysis becomes an important step of the actual strategy setting and update processes. Risk managers use scenario analysis or simulation modelling to present an independent opinion on strategic objectives, the likelihood of achieving them and the impact the risks may have on their achievement.
- Integrating into budgeting – while it is quite common to budget using three scenarios (optimistic, realistic and pessimistic), this may not be sufficient from a risk management point of view. These scenarios are often formed without the risk management team’s participation or even without due consideration of the actual risks associated with the budget. Thus, even the pessimistic scenarios often do not account for many significant risks, creating an overly optimistic and misleading picture for the executives and decision-makers. Proper risk analysis can bring significant value to the budgeting process. Risk managers should review and improve management assumptions used in scenario analysis or introduce the use of simulation modelling to make sure all important risks are captured and their impact on liquidity assessed. Risk analysis helps replace static, point-in-time budgets with a distribution of possible values. It also helps set management KPIs based on the risk information, thus improving the likelihood of them being achieved, and reduces the conflict of interest the finance department and management team have in presenting an overly optimistic budget. Risk analysis helps to identify the most critical risks affecting the budget, allowing management to allocate ownership and determine the budget for risk mitigation.
- Integrating into performance management – risk management could be integrated into the performance management cycle of the organization, both at the individual level and the corporate level. One of the risk managers we interviewed shared an example where traditional static corporate key performance indicators (KPIs) have been replaced with dynamic, risk-based, ranged KPIs. This allowed their management to have bands of values instead of a single value. Some KPIs stayed as single-value estimates; however, they were calculated as the 95th percentile of the distribution of possible values based on the Monte Carlo simulation. Triggers and key risk indicators may also be set for corporate KPIs to improve monitoring and performance tracking. At an individual level, risk management KPIs may be set around risk-based decision making, timely risk mitigation, risk management training grades or an internal audit assessment of the risk management effectiveness in different business units.
- Integrating into investment decision making – the use of simulation makes it possible not only to estimate the range of project costs and expected returns, but also to identify the most significant assumptions made by management that affect key performance indicators of the project.
For them, ISO31000:2018 will be a nice reinforcement of what they have been doing for years. Well done you!
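The budgeting and performance management practices in the list above (a distribution of possible values instead of a point budget, a KPI read off the 95th percentile, and a ranking of the most critical risks) can be sketched as a small Monte Carlo simulation. This is an added example, not code from the article or from the ISO31000 standard; the cost figures, risk names, probabilities and the choice of triangular distributions are all constructed assumptions.

```python
import math
import random

# Constructed sample data (assumptions, not from the article); thousands of EUR.
BASE_COST = (900, 1200, 1000)      # low, high, most likely planned spend
STATIC_BUDGET = 1000               # the single-point "realistic" scenario
RISKS = {                          # name: (probability, (low, high, mode) impact)
    "supplier_delay":  (0.30, (200, 900, 400)),
    "fx_movement":     (0.10, (100, 300, 150)),
    "regulatory_fine": (0.05, (500, 1500, 800)),
}

def simulate(runs=20000, seed=1):
    """Return (sorted total costs, mean simulated loss per risk)."""
    rng = random.Random(seed)      # fixed seed keeps the run reproducible
    totals, loss_sum = [], {name: 0.0 for name in RISKS}
    for _ in range(runs):
        total = rng.triangular(*BASE_COST)
        for name, (prob, impact) in RISKS.items():
            if rng.random() < prob:            # the risk event occurs in this run
                loss = rng.triangular(*impact)
                loss_sum[name] += loss
                total += loss
        totals.append(total)
    totals.sort()
    return totals, {name: s / runs for name, s in loss_sum.items()}

def percentile(sorted_values, pct):
    """Nearest-rank percentile of an already sorted list."""
    rank = max(1, math.ceil(len(sorted_values) * pct / 100))
    return sorted_values[rank - 1]

def budget_report(runs=20000, seed=1):
    """Summarize the budget as a range plus the risks that drive it."""
    totals, mean_loss = simulate(runs, seed)
    return {
        "p5": percentile(totals, 5),
        "p50": percentile(totals, 50),
        "p95": percentile(totals, 95),   # single-value KPI taken from the distribution
        "prob_over_static": sum(t > STATIC_BUDGET for t in totals) / runs,
        "risks_by_mean_loss": sorted(mean_loss, key=mean_loss.get, reverse=True),
    }

if __name__ == "__main__":
    for key, value in budget_report().items():
        print(key, value)
```

The `prob_over_static` figure shows how often the simulated spend exceeds the single-point budget, which is the information a three-scenario budget built without the risks does not provide.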
The majority of risk managers in non-financial companies, however, choose to settle for regular risk register updates, periodic risk reporting and standalone risk management framework documents. All these practices are relatively ineffective and never did align well with the original ISO31000 principles. So, for them, the new standard is a wonderful opportunity to reevaluate current risk management methodologies and start building a business case on why risk management needs to be better integrated into decision making and key business processes.
National and international risk management associations have an important role to play in building awareness around the new ISO31000 to help integrate risk management principles into national legislation and government-issued guidelines.